Impact
Vim's netrw plugin contains a code injection flaw in the NetrwBookHistSave() function, which records visited directories in the ~/.vim/.netrwhist file. Because directory names are interpolated into a single-quoted Vimscript string without escaping embedded single quotes, an attacker who can create a directory with a specially crafted name can break out of the string literal and execute arbitrary Vimscript, including system() and :! commands, when the history file is later sourced. This gives the attacker unrestricted code execution as the user running Vim on the local machine, fully compromising confidentiality, integrity, and availability for that user.
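The check below is an added example, not code from Vim or from this advisory: it flags history entries whose right-hand side is not exactly one well-formed single-quoted Vimscript literal, and shows the quote-doubling that keeps a name inside the literal. The entry shape `let g:netrw_dirhist_N='dir'` is an assumption about the file format, and the function names and sample lines are constructed for illustration.

```python
import re

# Assumed entry shape (not shown in the advisory): let g:netrw_dirhist_<n>='<dir>'
ENTRY = re.compile(r"^\s*let\s+g:netrw_dirhist_\d+\s*=\s*(.*)$")
# A complete Vim single-quoted literal; the only escape inside it is '' for '.
LITERAL = re.compile(r"'(?:[^']|'')*'")


def vim_quote(text):
    """Quote text as a Vim single-quoted string by doubling embedded quotes."""
    return "'" + text.replace("'", "''") + "'"


def vim_unquote(literal):
    """Return the value of a well-formed literal, or None if it is malformed."""
    if not LITERAL.fullmatch(literal):
        return None
    return literal[1:-1].replace("''", "'")


def suspicious_entries(history_text):
    """Return (line_no, line) for entries where text escapes the quotes."""
    hits = []
    for no, line in enumerate(history_text.split("\n"), 1):
        m = ENTRY.match(line)
        if m and vim_unquote(m.group(1).rstrip()) is None:
            hits.append((no, line))
    return hits


# Constructed sample: a benign directory name that happens to contain a quote.
SAMPLE = "\n".join([
    "let g:netrw_dirhistmax  =10",
    "let g:netrw_dirhist_1=" + vim_quote("/home/user/src"),
    "let g:netrw_dirhist_2=" + vim_quote("/tmp/bob's files"),  # escaped
    "let g:netrw_dirhist_3='/tmp/bob's files'",  # unescaped: literal ends early
])

if __name__ == "__main__":
    for no, line in suspicious_entries(SAMPLE):
        print(f"line {no}: not a single quoted literal: {line}")
```

Any flagged line means text after the first closing quote would be parsed as Vimscript when the file is sourced, so treat it as a reason to inspect the file before opening Vim on that account.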
Affected Systems
All Vim versions up to and including 9.2.0494 are affected. Vendor: Vim. The vulnerability was patched in release 9.2.0495, so any installation of that version or later is safe.
Risk and Exploitability
With a CVSS base score of 7.3, the vulnerability is considered high severity. The EPSS score of 0.00269 indicates a very low but non-zero exploitation probability. Exploitation requires that the attacker be able to create a directory with a crafted name on a local file system that Vim can access, and that the victim launch Vim and source the history file, which normally occurs on startup. The attack vector is therefore local; the flaw is not exploitable over a network. The vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation activity at present.